In this paper we revisit the well-known technique of predicate abstraction to characterise performance attributes of system models incorporating probability. We recast the theory using expectation transformers [8], and identify transformer properties which correspond to abstractions that nevertheless yield exact bounds on the performance of infinite state probabilistic systems. In addition, we extend the developed technique to the special case of "data independent" programs [14] incorporating probability. Finally, we demonstrate the subtleness of the extended technique by using the PRISM model checking tool [?] to analyse an infinite state protocol, obtaining exact bounds on its performance.

1 Introduction 

Automated analysis of infinite (very large) state systems often relies on abstractions which summarise the essential behaviour as a finite state "anti-refinement" in such a way as to guarantee the desired properties (if indeed they hold). Typically, however, abstractions introduce nondeterminism, and in a probabilistic system this can lead to a high degree of imprecision in the estimated probabilistic properties. The choice of abstraction is therefore critical; some approaches to finding the right one use "abstraction refinement", sometimes relying on counterexamples from failed attempts to obtain incremental improvements [?].

In this paper we revisit the technique of "predicate abstraction" from the perspective of "expectation transformers". Predicate abstraction refers to the notion of approximating a system using a given set of predicates: states are grouped together according to the predicates they satisfy (in the given set), and the system is abstracted by tracking only the transformations expressible in the induced equivalence classes. Expectation transformers [8] are a generalisation to probabilistic systems of Hoare/Dijkstra-style semantic reasoning [20]: predicates are replaced by real-valued functions of the state. The approach is equivalent to operational models of programming based on Markov decision processes, but results in a convenient proof system for verifying general properties of probabilistic programs.

In particular we are able to characterise, using expectation transformers, a simple criterion for when an abstraction gives exact quantitative analysis for probabilistic properties. The criterion is sufficient to identify when predicate abstraction introduces no additional nondeterminism. A typical class of programs where this is effective is the so-called class of "data independent" programs [14]. A program is data independent whenever its control structure does not depend on the precise values of the data. Wolper [14] first identified this as a class of interesting programs amenable to verification via model checking [9]. In addition to Wolper's idea, we consider the notion of probabilistic data independence where the probabilistic choice cannot depend on the data. In general, the idea we propose here is aimed at constructing abstractions which result in no loss of information, especially when probability plays a crucial role in the performance analysis of infinite state system models. Such abstractions are said to be "information-preserving" since they suffice as exact representations of their original systems.

Using the expectation transformer approach we prove the "folk theorem" (see [8]) for probabilistic systems: that data independent programs can be treated with predicate abstraction yielding exact results on threshold properties such as "the probability that a set of states has been reached in at most k steps".

In particular our contributions in this paper are: 

(i) The development of a technique which permits the application of predicate abstraction to proba- 
bilistic programs using expectation transformers; 

(ii) An establishment of a criterion for identifying abstractions which do not lose information; 

(iii) We show how the developed technique and criterion can be applied to data independent programs, especially when probability plays a crucial role;

(iv) And finally, a demonstration of the technique on a case study of a system with potential infinite 
state behaviour. 

This paper is structured as follows: In Sec. 2 we summarise the expectation transformer semantics for probabilistic programs; Sec. 3 is the development of the technique for predicate abstraction using expectation transformers. In Sec. 4 we show how the technique can be applied to identify when predicate abstraction yields exact thresholds for infinite state systems; we then explore the special treatment of data independent programs. In Sec. 5 we illustrate the technique by model checking Rabin's choice coordination problem (also known as distributed consensus) [13]; this is a protocol which has the potential to require unbounded resources on its performance and therefore cannot be verified directly with a model-checking approach. However the theory of Sec. 4 shows that the results we obtain using its information-preserving abstraction are nevertheless exact interpretations of its performance.

1.1 Summary of notation

Function application is represented by a dot, as in $f.x$ (rather than $f(x)$). We use an abstract state space $S$. Given a predicate $Pred$ we write $[Pred]$ for the characteristic function mapping states satisfying $Pred$ to $1$ and to $0$ otherwise, punning $1$ and $0$ with "True" and "False" respectively. Whenever $e, e'$ are real-valued functions over $S$ we write $e + e'$, $e \sqcup e'$, $e \sqcap e'$ for the pointwise addition, maximum and minimum. Moreover $a \times e$ is $e$ scaled by the real $a$.

For a commutative operator $\oplus$, we use $(\oplus\, x \in X \cdot f.x)$ for the comprehension which applies $\oplus$ between all instances $f.x$ as $x$ ranges over $X$. For example, $(\sqcup\, x \in [0,1] \cdot x^2)$ gives the maximum value of $x^2$ as $x$ ranges over the closed interval $[0,1]$.

2 Probabilistic program semantics and expectation transformers 

When programs incorporate probability, their properties can no longer be guaranteed "with certainty", but only "up to some probability". For example the program

$$ inc \;\triangleq\; x := x/2 \;\;{}_{1/2}\oplus\;\; x := x+1\,, \qquad (1) $$

sets the integer-valued variable $x$ to $x/2$ (the result of the integer division) only with probability $1/2$; in practice this means that if the statement (1) were executed a large number of times, and the number of times that $x$ was halved or increased tabulated, roughly $1/2$ of them would record $x$ as having been halved (up to well-known statistical confidence [15]).

The probabilistic guarded command language pGCL [8] and its associated quantitative logic were developed to express such programs and to derive their probabilistic properties by extending the classical assertional style of programming. Programs in the pGCL are modeled (operationally) as functions (or transitions) which map initial states in $S$ to (sets of) probability distributions over final states; the program at (1) for instance has a single transition which maps any initial state $x = k_0$ to a (single) final distribution; we represent that distribution as a function $d$, evaluating to $1/2$ when $x = k_0/2$ or $x = k_0 + 1$.

Since properties are now quantitative we express them via a logic of real-valued functions, or expectations. For example, the property "if the initial state satisfies $x = 0 \vee x = 2$, then the final value of $x$ is $1$ with probability $1/2$" can be expressed as the expected value of the function $[x = 1]$ with respect to $d$, which evaluates to $1/2 \times 1 + 1/2 \times 0 = 1/2$ when $x$ is initially $2$, for example.

Direct appeal to the operational semantics quickly becomes impractical for all but the simplest programs; better is the equivalent transformer-style semantics, which is obtained by rationalising the above calculation in terms of expected values rather than transitions. The explanation runs as follows. Writing $\mathcal{E}S$ for the set of all (non-normalised) functions from $S$ to the interval $[0,1]$, which we call the set of expectations, we say that the expectation $[x = 1]$ has been transformed to the expectation $[x = 0 \vee x = 2]/2$ by the program $inc$ at (1) above, so that they are in the relation "$1/2$ is the expected value of $[x = 1]$ with respect to $inc$'s result distribution whenever $x$ is initially either $0$ or $2$". More generally, given a program $Prog$, an expectation $e$ in $\mathcal{E}S$ and a state $s \in S$, we define $wp.Prog.e.s$ to be the expected value of $e$ with respect to the result distribution of program $Prog$ if executed initially from state $s$. We say that $wp.Prog$ is the expectation transformer relative to $Prog$. In our example that allows us to write

$$ [x = 0 \vee x = 2]/2 \;\le\; wp.(x := x/2 \;\;{}_{1/2}\oplus\;\; x := x+1).[x = 1]\,, $$

with equality everywhere except at $x = 3$, where integer division also gives $3/2 = 1$ and the right-hand side is again $1/2$.

In the case that nondeterminism is present, execution of $Prog$ results in a set of possible distributions and we modify the definition of $wp$ to take account of this: we define $wp.Prog.E.s$ so that it delivers the least expected value with respect to all distributions in the result set. The transformers [8] give rise to a complete characterisation of probabilistic programs with nondeterminism, and they are sufficient to express many performance-style properties, including the probability that an event occurs, the expected time until it occurs, and the long-run average of the number of times it occurs over many repeated executions of the system.

In Fig. 1 we set out the semantics for the pGCL, a variation of Dijkstra's GCL with the addition of probabilistic choice. All the programming features have been defined previously elsewhere, and (apart from probabilistic choice) have interpretations which are merely adapted to the real-valued context. For example, nondeterminism, as explained above, is interpreted demonically and can be thought of as being resolved by a "minimal-seeking demon", providing guarantees on all program behaviour, such as is expected for total correctness. Probabilistic choice, on the other hand, selects the operands at random with weightings determined by the probability parameter $p$. Iteration is defined by a least fixed point of a monotone expectation-to-expectation function.¹

¹ Well-definedness is guaranteed by, for example, restricting the expectations to lie in the real interval $[0,1]$ or by completing the reals with $\infty$. These issues have been discussed elsewhere [8].

skip: $wp.\mathit{skip}.E = E$

abort: $wp.\mathit{abort}.E = 0$

assignment: $wp.(x := f).E = E[x := f]$

sequential composition: $wp.(r;r').E = wp.r.(wp.r'.E)$

probabilistic choice: $wp.(r\ {}_p\oplus\ r').E = p \times wp.r.E + (1-p) \times wp.r'.E$

nondeterministic choice: $wp.(r \mathbin{[]} r').E = wp.r.E \sqcap wp.r'.E$

Boolean choice: $wp.(\mathbf{if}\ G\ \mathbf{then}\ r\ \mathbf{else}\ r').E = [G] \times wp.r.E + [\neg G] \times wp.r'.E$

iteration: $wp.(\mathbf{do}\ G \to r\ \mathbf{od}).E = (\mu X \cdot [\neg G] \times E + [G] \times wp.r.X)$

$E$ is an expectation in $\mathcal{E}S$, $f$ is a function of the state, and $\sqcap$ is pointwise minimum. The real $p$ is restricted to lie between $0$ and $1$, and the term $(\mu X \cdot \ldots)$ refers to the least fixed point with respect to $\le$, which we lift to real-valued functions. Commands are ordered using refinement, so that more refined programs improve probabilistic results: $P \sqsubseteq Q$ iff $(\forall E \in \mathcal{E}S \cdot wp.P.E \le wp.Q.E)$; note also that $wp$ is monotone, so that if $E \le E'$ then $wp.P.E \le wp.P.E'$, where $P, Q$ are program commands and $E, E'$ are expectations.

Figure 1: Structural definitions of $wp$ for the pGCL.

We end this section with a discussion of a simple performance property: a probabilistic analysis of the number of iterations until termination. Given a loop $\mathbf{do}\ G \to Prog\ \mathbf{od}$ which executes the program $Prog$ until $G$ becomes false, we can compute the probability that the loop has executed no more than $k$ times on termination as:

$$ wp.(\mathbf{do}\ G \to Prog;\, n := n+1\ \mathbf{od}).[n \le k]\,, \qquad (2) $$

where $n$ is a fresh variable, not occurring in $Prog$. Informally, if $n$ is initialised to $0$ before the execution of the loop and is incremented after each execution of $Prog$, this expresses the (minimum) probability that its value on exiting the loop does not exceed $k$. When no nondeterminism is present the expression in (2) computes an exact bound for expected performance; when it is present it computes the greatest lower bound. Upper bounds can be calculated using a maximum interpretation of nondeterminism, but we do not discuss that interpretation here.

In this section we have summarised an expectation transformer approach to probabilistic semantics. 
In many cases, especially for performance, the exact analysis of the system in this style is impractical; an 
alternative to calculation is model checking, however this is not viable for very large or infinite systems. 
Predicate abstraction is a popular approach to approximating such programs, and in the next section we 
develop the expectation transformer approach to predicate abstraction for probabilistic programs. 



3 Abstract expectation transformers 

Predicate abstraction is a standard technique for defining abstractions of transition systems. In this section we will show how to define it for probabilistic programs using expectation transformers. The approach is inspired by Ball's formalisation of predicate abstraction for standard sequential programs using weakest precondition semantics [11].

Let $\Phi$ be a (finite) set of predicates over the state space $S$. The standard predicate abstraction over $\Phi$ is induced by the equivalence relation:

$$ s \sim_\Phi s' \quad\text{iff}\quad (\forall \phi \in \Phi \cdot \phi.s = \phi.s')\,. $$

Given a transition system $T$ over $S$, the abstract transition system $T/\!\sim_\Phi$ takes the equivalence classes given by $S/\!\sim_\Phi$ as its state space, and has a transition $\bar{s} \to \bar{t}$ in $T/\!\sim_\Phi$ provided that there exists a transition $s \to t$ in $T$ with $s \in \bar{s}$ and $t \in \bar{t}$. The probabilistic generalisation is somewhat more complicated to define. On the other hand the expectation transformer semantics characterises operational behaviour, and the approach we take here is to define the abstract transition system over $S/\!\sim_\Phi$ using a generalisation of Ball's idea.

Let $cubes.\Phi$ be the (finite) set of (non-trivial) minimal predicates formed by taking negations and conjunctions of predicates in $\Phi$. The set $cubes.\Phi$ corresponds to the (set of) equivalence classes $S/\!\sim_\Phi$, and represents the abstract state space of the abstraction induced by $\Phi$. Let $cubed_\Phi : \mathcal{E}S \to \mathcal{E}S$ be defined by

$$ cubed_\Phi.e \;\triangleq\; (\sqcup\, c \in cubes.\Phi \cdot (\sqcup\, \lambda[c] \le e \cdot \lambda[c]))\,. \qquad (3) $$

We note that $cubed_\Phi.e$ is unique and would usually be a linear combination of the elements of $cubes.\Phi$, hence making it the sum of scaled cubes over the latter. Consequently, $cubed_\Phi.e$ is the weakest (largest) approximation of $e$ from below with respect to the granularity expressible by conjunctions, negations and disjunctions in $\Phi$. We say that $e$ is cubed relative to $\Phi$ exactly when $e = cubed_\Phi.e$. Note that $cubed_\Phi.cubed_\Phi.e = cubed_\Phi.e$ and that sums, maxima and minima of cubed expressions are still cubed, i.e.

$$\begin{array}{ll}
3(a) & cubed_\Phi.(cubed_\Phi.e + cubed_\Phi.e') = cubed_\Phi.e + cubed_\Phi.e'\,, \\
3(b) & cubed_\Phi.(cubed_\Phi.e \sqcup cubed_\Phi.e') = cubed_\Phi.e \sqcup cubed_\Phi.e'\,, \\
3(c) & cubed_\Phi.(cubed_\Phi.e \sqcap cubed_\Phi.e') = cubed_\Phi.e \sqcap cubed_\Phi.e'\,.
\end{array}$$

Definition 1. Given a pGCL program $Prog$, a set of predicates $\Phi$, and an expectation $e$ over $S$, we define the abstract weakest expectation relative to $\Phi$ as:

$$ wp_\Phi.Prog.e \;\triangleq\; cubed_\Phi.(wp.Prog.e)\,. $$

We write $Prog_\Phi$ for the corresponding abstract program operating over the abstract state space $S/\!\sim_\Phi$. This implies that $Prog_\Phi$ is determined by $wp_\Phi.Prog$.

As an example, consider the program $inc$ at (1) operating under arithmetic modulo 4. The underlying state space is defined by $0 \le x < 4$; consider now the set $\Phi$ consisting of the single predicate $x = 0 \vee x = 2$; the set of cubes is $cubes.\Phi = \{(x = 0 \vee x = 2), (x = 1 \vee x = 3)\}$, implying that the induced predicate abstraction has two states. We can see now that

$$\begin{array}{lll}
 & wp_\Phi.inc.[x = 1 \vee x = 3] & = \; [x = 0 \vee x = 2]/2\,, \\
\text{and} & wp_\Phi.inc.[x = 0 \vee x = 2] & = \; [x = 1 \vee x = 3]/2\,,
\end{array}$$

which is consistent with the abstraction in Fig. 2, where each abstract state has a probability of at least $1/2$ of being transformed to the other state, with the remaining probability being assigned to a nondeterministic update.

The next lemma sets out some properties of the abstract expectation transformer. 

Lemma 1. Let $Prog, Prog'$ be programs, $\Phi, \Phi'$ sets of predicates, $e, e'$ expectations and $a$ a real. The following inequalities and equalities apply:

$$\begin{array}{lrcl}
(1) & wp_\Phi.Prog.e & \le & wp.Prog.e \\
(2) & wp_\Phi.Prog.e & \le & wp_{\Phi \cup \Phi'}.Prog.e \\
(3) & wp_\Phi.Prog.e + wp_\Phi.Prog.e' & \le & wp_\Phi.Prog.(e + e') \\
(4) & a \times wp_\Phi.Prog.e & = & wp_\Phi.Prog.(a \times e) \\
(5) & (wp_\Phi.Prog.e - 1) \sqcup 0 & \le & wp_\Phi.Prog.((e - 1) \sqcup 0)
\end{array}$$

Proof: The inequalities and equalities all follow from arithmetic and Def. 1.
The transition system on the left represents the program $inc$ over the state space defined by $0 \le x < 4$, using arithmetic modulo 4. Each solid black arrow occurs with probability $1/2$. The transition system on the right is the abstraction based on $\Phi = \{x = 0 \vee x = 2\}$. Here we can see that nondeterminism (indicated by dotted lines) is introduced after any transition which divides the value of $x$ by 2.

Figure 2: The transition system for $inc$ and an abstraction.

Lem. 1 confirms our intuition that (1) the properties measured with respect to the abstraction are no more than with respect to the original program; (2) finer-grained abstractions give more accurate results; and (3, 4, 5) $wp_\Phi.Prog$ corresponds to a well-defined probabilistic transition system [8].

For standard transition systems (with no probability) an abstract system $Prog_\Phi$ is determined directly from the control structure and assignment statements. This corresponds to $wp_\Phi$ distributing through the program operators. For probabilistic systems this is not the case. For example, for the program $inc;inc$ (with arithmetic modulo 4) we may compute $3[x = 0 \vee x = 2]/4 \le wp_\Phi.(inc;inc).[x = 0 \vee x = 2]$, whereas $[x = 0 \vee x = 2]/4 = wp_\Phi.inc.(wp_\Phi.inc.[x = 0 \vee x = 2])$, implying that the nondeterminism introduced at each abstract transition will increase the inaccuracy. Comparing with Fig. 2 we see that nondeterminism is introduced at each abstract transition, and this could be resolved in the abstract system in such a way that there is only a $1/4$ chance of returning to the initial abstract state.

The following lemma shows that $wp_\Phi$ distributes only through nondeterminism, and only sub-distributes through sequential composition and probabilistic choice.

Lemma 2. Let $Prog, Prog'$ be programs, $\Phi, \Phi'$ sets of predicates, $e, e'$ expectations and $p$ a probability. The following inequalities apply:

$$\begin{array}{lrcl}
(4) & wp_\Phi.(Prog \mathbin{[]} Prog').e & = & wp_\Phi.Prog.e \sqcap wp_\Phi.Prog'.e \\
(5) & wp_\Phi.Prog.(wp_\Phi.Prog'.e) & \le & wp_\Phi.(Prog;Prog').e \\
(6) & p \times wp_\Phi.Prog.e + (1-p) \times wp_\Phi.Prog'.e & \le & wp_\Phi.(Prog\ {}_p\oplus\ Prog').e
\end{array}$$

Proof: The inequalities and equalities all follow from arithmetic and Def. 1.

Lem. 2 implies that whenever nondeterminism is introduced, the analysis of a program abstracted at each program statement could be too coarse to verify a desired quantitative threshold. This is not a problem when the abstraction does not introduce nondeterminism. Consider the program

$$ twoFlip \;\triangleq\; x := 0 \;\;{}_p\oplus\;\; x := 1\,;\;\; y := 0 \;\;{}_q\oplus\;\; y := 1\,, \qquad (4) $$

and the set of predicates $\Phi = \{x = y,\ x \ne y\}$. The resulting transition system over the state space defined by $x$ and $y$ is set out in Fig. 3 together with the abstraction induced by this $\Phi$.



U. K. Ndukwu and A. K. McIver, 135

The transition system (labelled with probabilities) on the left represents the program $twoFlip$ over the state space defined by the variables $x$ and $y$, each of which can take the value $0$ or $1$ in the states $(x, y)$. Each branch is executed with the probability that it occurs; only the transitions from $x = y = 0$ are illustrated, with transitions from the remaining states similarly calculated. The transition system on the right represents the abstraction which only keeps track of whether $x$ and $y$ are equal or not. Since no nondeterminism is introduced, properties at that level of granularity can be accurately calculated using this abstraction.

Figure 3: The transition system for $twoFlip$ and an abstraction.

Observe how no nondeterminism has been introduced in this abstraction; indeed $wp_\Phi.(twoFlip;twoFlip).e = wp_\Phi.twoFlip.(wp_\Phi.twoFlip.e)$. Intuitively this tells us that properties which can be stated at the granularity of $\Phi$ can be computed accurately from the corresponding abstraction. In the next section we formalise our intuition using expectation transformers.

4 Information-preserving abstractions and expected time to terminate 

In this section we introduce "information-preserving" abstractions and study how they apply to the computation of exact bounds on performance-style properties of probabilistic programs.

As we saw above, an abstraction which does not introduce nondeterminism preserves the exact behaviour of the program at the granularity of the chosen set of predicates. Programs which exhibit no nondeterminism or aborting behaviour have transformers that are additive and complement-preserving:

$$\begin{array}{l}
wp.Prog.(e + e') = wp.Prog.e + wp.Prog.e' \\
wp.Prog.(1 - e) = 1 - wp.Prog.e
\end{array}$$

for any such deterministic pGCL program command $Prog$ and expectations $e, e'$ (with $e + e' \le 1$). An abstraction which introduces no nondeterminism should inherit these properties at the level of $wp_\Phi$; the next definition formalises that idea in terms of expectation transformers.

Definition 2. Given a deterministic program $Prog$ and a set of predicates $\Phi$, we say that the abstraction induced by $\Phi$ is information-preserving if:

$$ wp_\Phi.Prog.[c] = wp.Prog.[c]\,, $$

for all $c \in cubes.\Phi$.

To see Def. 2 in action, observe that

$$\begin{array}{ll}
 & wp.inc.[x = 0 \vee x = 2] \\
= & [x = 0 \vee x = 3]/2 + [x = 1] \\
\ne & [x = 1 \vee x = 3]/2 \\
= & wp_\Phi.inc.[x = 0 \vee x = 2]\,,
\end{array}$$

implying the introduction of a nondeterministic branch at the abstract state corresponding to $x = 1 \vee x = 3$.

A more efficient way to check for information-preservation is simply to check that $wp.Prog.[\phi]$ is cubed for all $\phi \in \Phi$; the next lemma shows that this is sound.

Lemma 3. Let $Prog$ be a deterministic (probabilistic) program, and let $\Phi$ be a set of predicates. If $wp.Prog.[\phi]$ is cubed for all $\phi \in \Phi$, then the abstraction induced by $\Phi$ is information-preserving.
Proof: We need to show that $wp.Prog.[c] = wp_\Phi.Prog.[c]$ for all $c \in cubes.\Phi$. Note that each such $c$ is generated from negations and conjunctions, so all we need show is that for predicates $\psi, \psi'$ such that $wp.Prog.[\psi]$ and $wp.Prog.[\psi']$ are cubed, so too are $wp.Prog.(1 - [\psi])$ and $wp.Prog.[\psi \wedge \psi']$.

The result follows since $wp.Prog.[\psi \wedge \psi'] = (wp.Prog.[\psi] + wp.Prog.[\psi'] - 1) \sqcup 0$ and $wp.Prog.(1 - [\psi]) = 1 - wp.Prog.[\psi]$, and the fact that sums and inverses of cubed expressions are still cubed.
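As an added worked example (not code from the paper), the following Python block implements the finite-state versions of $wp$, $cubed_\Phi$ and $wp_\Phi$ of Section 3 with exact rational arithmetic and replays the calculations above: the two abstract transitions of $inc$ under $\Phi = \{x = 0 \vee x = 2\}$, the gap between $wp_\Phi.(inc;inc)$ and the composition of the two abstractions (Lem. 2(5)), the Definition 2 test for information-preservation applied cube by cube, and the cheaper test of Lem. 3. Programs are represented as functions from a state to a list of (probability, next state) pairs, which covers exactly the deterministic (nondeterminism-free) programs the lemmas assume; the values $p = 1/3$ and $q = 1/4$ for $twoFlip$ are constructed for the example.

```python
from fractions import Fraction as Fr
from itertools import product

HALF = Fr(1, 2)

# Concrete state space of inc under arithmetic modulo 4 (the example of Section 3).
INC_STATES = [0, 1, 2, 3]


def inc(x):
    """inc = x := x/2  1/2(+)  x := x+1 (mod 4): list of (probability, final state)."""
    return [(HALF, x // 2), (HALF, (x + 1) % 4)]


def seq(prog1, prog2):
    """Sequential composition prog1; prog2 of two deterministic probabilistic programs."""
    def composed(s):
        dist = {}
        for p, t in prog1(s):
            for q, u in prog2(t):
                dist[u] = dist.get(u, Fr(0)) + p * q
        return [(pr, u) for u, pr in dist.items()]
    return composed


def wp(prog, e):
    """wp.Prog.e: expected value of e over Prog's result distribution, per initial state."""
    return {s: sum(p * e[t] for p, t in prog(s)) for s in e}


def cubes(states, preds):
    """cubes.Phi: the classes of states that agree on every predicate in Phi."""
    classes = {}
    for s in states:
        classes.setdefault(tuple(bool(ph(s)) for ph in preds), []).append(s)
    return list(classes.values())


def cubed(e, preds):
    """cubed_Phi.e of eq. (3): on each cube c the largest lambda with lambda*[c] <= e."""
    result = {}
    for c in cubes(list(e), preds):
        lam = min(e[s] for s in c)
        for s in c:
            result[s] = lam
    return result


def wp_abs(prog, e, preds):
    """Definition 1: wp_Phi.Prog.e = cubed_Phi.(wp.Prog.e)."""
    return cubed(wp(prog, e), preds)


def char(states, pred):
    """[pred] as an expectation: 1 on states satisfying pred, 0 elsewhere."""
    return {s: Fr(int(bool(pred(s)))) for s in states}


def is_cubed(e, preds):
    return cubed(e, preds) == e


# Phi = {x = 0 or x = 2}: the cubes are {0, 2} and {1, 3}.
PHI_INC = [lambda x: x in (0, 2)]
EVEN = char(INC_STATES, lambda x: x in (0, 2))
ODD = char(INC_STATES, lambda x: x in (1, 3))


def inc_abstraction():
    """The two abstract transitions of Section 3: (wp_Phi.inc.[x=1 v x=3], wp_Phi.inc.[x=0 v x=2])."""
    return wp_abs(inc, ODD, PHI_INC), wp_abs(inc, EVEN, PHI_INC)


def inc_twice_gap():
    """Lem. 2(5): wholesale abstraction of inc;inc versus composing the two abstractions."""
    whole = wp_abs(seq(inc, inc), EVEN, PHI_INC)
    composed = wp_abs(inc, wp_abs(inc, EVEN, PHI_INC), PHI_INC)
    return whole, composed


# twoFlip = x := 0 p(+) x := 1 ; y := 0 q(+) y := 1 over states (x, y); p, q are constructed.
FLIP_STATES = list(product((0, 1), repeat=2))
PHI_FLIP = [lambda st: st[0] == st[1], lambda st: st[0] != st[1]]


def two_flip(p, q):
    def prog(_state):  # the result distribution does not depend on the initial state
        return [(p * q, (0, 0)), (p * (1 - q), (0, 1)),
                ((1 - p) * q, (1, 0)), ((1 - p) * (1 - q), (1, 1))]
    return prog


EXAMPLE_FLIP = two_flip(Fr(1, 3), Fr(1, 4))


def information_preserving(prog, states, preds):
    """Definition 2 directly: wp.Prog.[c] is cubed (so wp_Phi.Prog.[c] = wp.Prog.[c]) for every cube c."""
    return all(is_cubed(wp(prog, char(states, lambda s, c=c: s in c)), preds)
               for c in cubes(states, preds))


def lemma3_check(prog, states, preds):
    """The cheaper sufficient test of Lem. 3: wp.Prog.[phi] is cubed for every phi in Phi."""
    return all(is_cubed(wp(prog, char(states, ph)), preds) for ph in preds)
```

`information_preserving(EXAMPLE_FLIP, FLIP_STATES, PHI_FLIP)` returns True while the same test on `inc` with `PHI_INC` returns False, matching Fig. 3 and Fig. 2; `inc_twice_gap()` returns $3[x = 0 \vee x = 2]/4 + [x = 1 \vee x = 3]/4$ for the wholesale abstraction against $[x = 0 \vee x = 2]/4$ for the composition, which is the inequality quoted after Lem. 1. Both tests for information-preservation agree on these two programs; Definition 2 is the one the later lemmas rely on, so it is the safer check when the two might differ.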

As mentioned above, a key characterising property of information-preserving abstractions is that they generate no new nondeterminism. A probabilistic program exhibits no (demonic) nondeterminism if its expectation transformer semantics distributes addition. The next lemma shows this for information-preserving abstractions.

Lemma 4. Let $Prog$ be a deterministic (probabilistic) program, and let $\Phi$ be a set of predicates inducing an information-preserving abstraction on $Prog$. The expectation transformer $wp_\Phi.Prog$ is deterministic on cubed expectations.

Proof: The result follows by showing that $wp.Prog = wp_\Phi.Prog$ on cubed expressions. Assume first that $c, c' \in cubes.\Phi$ and that $\lambda, \lambda'$ are reals. We reason as follows:

$$\begin{array}{lll}
 & wp_\Phi.Prog.(\lambda[c] + \lambda'[c']) \\
\le & wp.Prog.(\lambda[c] + \lambda'[c']) & \text{Lem. 1(1)} \\
= & \lambda\, wp.Prog.[c] + \lambda'\, wp.Prog.[c'] & Prog \text{ is deterministic} \\
= & \lambda\, wp_\Phi.Prog.[c] + \lambda'\, wp_\Phi.Prog.[c'] & Prog \text{ is information-preserving} \\
\le & wp_\Phi.Prog.(\lambda[c] + \lambda'[c'])\,. & \text{Lem. 1(3, 4)}
\end{array}$$

Observe finally that the equality generalises to expressions consisting of finite sums of cubes, and that there are only finitely many distinct cubes whenever $\Phi$ is finite.

In particular we can now see that information-preserving abstractions compute exact results for all cubed expressions:

Corollary 1. Let $Prog$ be a deterministic (probabilistic) program, and let $\Phi$ be a set of predicates inducing an information-preserving abstraction on $Prog$. Then $wp_\Phi.Prog.e = wp.Prog.e$ whenever $e$ is cubed.
Proof: Follows since if $e$ is cubed then it is a finite sum of scaled cubes, and by Lem. 4 $wp_\Phi.Prog$ distributes addition.

4.1 Computing abstractions component-wise

The above notions assume that the abstraction is calculated wholesale on the program $Prog$; in practice it may be more efficient to calculate the abstraction relative to, and on, smaller components of the program. However, as Lem. 2(5, 6) indicate, additional inaccuracies can creep in wherever the abstraction is computed from program components.
Fortunately this does not occur in the case of information-preserving abstractions: Lem. 4 is key to verifying that information-preserving abstractions are determined from their components alone, provided that the components themselves are also information-preserving. In practical terms this means that in a transition system, provided each transition preserves the information, then so does the abstraction. In our expectation transformer framework, we need to show that $wp_\Phi$ distributes through sequential composition and probabilistic choice.

Lemma 5. Let $Prog, Prog'$ be deterministic (probabilistic) programs, and let $\Phi$ be a set of predicates inducing an information-preserving abstraction on each. The following equalities apply:

$$\begin{array}{lrcl}
(5') & wp_\Phi.Prog.(wp_\Phi.Prog'.e) & = & wp_\Phi.(Prog;Prog').e \\
(6') & p \times wp_\Phi.Prog.e + (1-p) \times wp_\Phi.Prog'.e & = & wp_\Phi.(Prog\ {}_p\oplus\ Prog').e
\end{array}$$

Proof: Follows easily from Lem. 4 since $wp_\Phi.Prog.e$ and $wp_\Phi.Prog'.e$ are both cubed expressions.
4.2 Computing average performance 

Significantly, we can now compute expected performance profiles exactly from the abstraction.

Lemma 6. Let $Prog$ be a deterministic program, information-preserving with respect to $\Phi$, and suppose that $G, (n \le k) \in \Phi$ where $k$ is an integer. The following equality holds:

$$ wp.(\mathbf{do}\ G \to Prog;\, n := n+1\ \mathbf{od}).[n \le k] \;=\; wp.(\mathbf{do}\ G_\Phi \to Prog_\Phi;\, n := n+1\ \mathbf{od}).[n \le k]\,, $$

where $G_\Phi$ represents the abstraction of $G$ in $S/\!\sim_\Phi$.

Proof: Let $N = wp.(\mathbf{do}\ G \to Prog;\, n := n+1\ \mathbf{od}).[n \le k]$, and $N_\Phi = wp.(\mathbf{do}\ G_\Phi \to Prog_\Phi;\, n := n+1\ \mathbf{od}).[n \le k]$. By Lem. 1(1), and monotonicity of the programming language (Fig. 1), we see that $N_\Phi \le N$. To show that $N \le N_\Phi$ we note that $N$ and $N_\Phi$ are both least fixed points of monotone expectation-to-expectation functions. We use the least fixed point property of functions over partially-ordered sets, i.e. that if $f.x \le x$ then $\mu.f \le x$ [2]. Applied to $N$ and $N_\Phi$ we establish that $N_\Phi$ satisfies the fixed-point equation for $N$ as follows:

$$\begin{array}{lll}
 & [\neg G] \times [n \le k] + [G] \times wp.(Prog;\, n := n+1).N_\Phi \\
= & [\neg G] \times [n \le k] + [G] \times wp_\Phi.(Prog;\, n := n+1).N_\Phi & cubed_\Phi.N_\Phi = N_\Phi \text{ (see below); Lem. 4} \\
= & N_\Phi & N_\Phi \text{ is a fixed point}
\end{array}$$

The result now follows since $N$ is the least fixed point of the function $(\lambda X \cdot [\neg G] \times [n \le k] + [G] \times wp.(Prog;\, n := n+1).X)$.

For the "see below" part, note that $N_\Phi$ is itself a fixed point, satisfying $N_\Phi = [\neg G] \times [n \le k] + [G] \times wp_\Phi.(Prog;\, n := n+1).N_\Phi$. It now follows that $N_\Phi$ is cubed, since $wp_\Phi.Prog.e$ is cubed for any expectation $e$, and $[\neg G]$ and $[n \le k]$ are cubed because $G, (n \le k) \in \Phi$.
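The loop property (2) and Lem. 6 can be checked numerically on $twoFlip$ with $\Phi = \{x = y,\ x \ne y\}$ and guard $G = (x \ne y)$, for which $G_\Phi$ is the abstract state "neq". The Python block below is an added example, not code from the paper: it unfolds the least fixed point of Fig. 1 for $wp.(\mathbf{do}\ G \to Prog;\, n := n+1\ \mathbf{od}).[n \le k]$ on the concrete four-state system and on the two-state abstraction, using exact rational arithmetic, and returns both values so they can be compared. The probabilities $p = 1/3$ and $q = 1/4$, and the hand-derived abstract transition (one $twoFlip$ lands in $x = y$ with probability $pq + (1-p)(1-q)$ whatever the current state), are assumptions of the example.

```python
from fractions import Fraction as Fr
from functools import lru_cache

# Constructed parameters for twoFlip = x := 0 p(+) x := 1 ; y := 0 q(+) y := 1.
P, Q = Fr(1, 3), Fr(1, 4)
SAME = P * Q + (1 - P) * (1 - Q)   # probability that one twoFlip lands in x = y


def two_flip_step(_state):
    """Concrete twoFlip from any (x, y): list of (probability, next state)."""
    return [(P * Q, (0, 0)), (P * (1 - Q), (0, 1)),
            ((1 - P) * Q, (1, 0)), ((1 - P) * (1 - Q), (1, 1))]


def abstract_step(_cube):
    """twoFlip_Phi over S/~Phi for Phi = {x = y, x != y}: the cubes "eq" and "neq" (derived by hand)."""
    return [(SAME, "eq"), (1 - SAME, "neq")]


def neq(state):
    """Concrete guard G = (x != y)."""
    return state[0] != state[1]


def neq_abs(cube):
    """G_Phi: the same guard read on the abstract state space."""
    return cube == "neq"


def bounded_termination(step, guard, state, k):
    """wp.(do G -> Prog; n := n+1 od).[n <= k] from `state` with n initially 0, i.e. eq. (2).

    Unfolds the least fixed point of Fig. 1: leaving the loop with n <= k scores 1,
    leaving it later scores 0, and while the guard holds the body runs once more with n+1.
    Once n reaches k no further iteration can score, so the unfolding is finite."""
    @lru_cache(maxsize=None)
    def prob(s, n):
        if not guard(s):
            return Fr(1) if n <= k else Fr(0)
        if n >= k:
            return Fr(0)
        return sum(p * prob(t, n + 1) for p, t in step(s))
    return prob(state, 0)


def concrete_vs_abstract(k, start=(0, 1)):
    """Lemma 6 instance: the bound on the concrete system and on its information-preserving abstraction."""
    abstract_start = "neq" if neq(start) else "eq"
    return (bounded_termination(two_flip_step, neq, start, k),
            bounded_termination(abstract_step, neq_abs, abstract_start, k))
```

For this guard the loop exits as soon as a $twoFlip$ produces $x = y$, so both computations return $1 - (1 - (pq + (1-p)(1-q)))^k$ from a state with $x \ne y$; the point of the example is that the abstract system, with two states instead of four, gives exactly that value and not merely a lower bound.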

More generally, exact bounds can be computed even when the program exhibits finitely-branching nondeterminism.

Corollary 2. Let $Prog_1, \ldots, Prog_m$ be deterministic and information-preserving with respect to $\Phi$. Let $G \in \Phi$ and $n$ a fresh variable. The following equality holds:

$$\begin{array}{l}
wp.(\mathbf{do}\ G \to (Prog_1 \mathbin{[]} \cdots \mathbin{[]} Prog_m);\, n := n+1\ \mathbf{od}).[n \le k] \\
\quad = \; wp.(\mathbf{do}\ G_\Phi \to (Prog_{1\Phi} \mathbin{[]} \cdots \mathbin{[]} Prog_{m\Phi});\, n := n+1\ \mathbf{od}).[n \le k]\,.
\end{array}$$

Proof: The proof is similar to Lem. 6, since nondeterminism distributes by Lem. 2(4).

The significance of Cor. 2 is that whenever the abstraction is known to be information-preserving component-wise over a program (or transition system), then exact performance analysis can be carried out on the abstraction. An important class of such programs are the so-called "data independent" systems, to which we turn in the next section.
4.3 Data independence

A program is said to be data independent (with respect to a data type $X$) [14] if it cannot perform operations involving specific values of the type: specifically it can only input, output, store and make comparisons using any relational operator $\otimes \in \{=, <, \le, >, \ge, \ldots\}$. Wolper points out that many distributed protocols fall into this category, and shows that such systems can be model checked accurately. In fact, if we extend this informal definition to probabilistic programs such that all probabilistic choices are constants, then our results above imply that there is an abstraction which can be used to compute performance properties exactly, namely the abstraction induced by the predicates $\Psi = \{x \otimes y \mid x, y \text{ program variables of the same type}\}$. We use this intuition to define a simple characterisation of data independent programs: they are the programs which are information-preserving with respect to $\Psi$ (with the informal definition above).

Definition 3. Let $Prog$ be a deterministic pGCL program with variables $x_1 \ldots x_m$. We say that $Prog$ is data independent with respect to $x_1 \ldots x_m$ provided that $Prog$ is information-preserving with respect to the abstraction induced by $\Psi$, where $\Psi$ is the set of predicates containing all expressions of the form $x_i \otimes x_j$ for all $1 \le i, j \le m$.

Note that this characterisation of data independence can be generalised to programs $Prog_1 \mathbin{[]} \cdots \mathbin{[]} Prog_m$ which exhibit nondeterministic behaviour by ensuring that the deterministic components $Prog_i$ comply with Def. 3. Note also that this definition shares some similarities with Wolper's denotational characterisation [14], in that Def. 3 captures the idea that properties expressible at the granularity of $\Psi$ are shared by both $Prog_\Psi$ and $Prog$. It does not deal with general types, however, as does Lazic [16].

With Def. 3 we can now conclude that data independent probabilistic programs have abstractions which preserve performance bounds.

Lemma 7. Let $Prog$ be a data independent program. Then the expected number of iterations of $\mathbf{do}\ G \to Prog\ \mathbf{od}$ may be computed exactly using the abstract program $Prog_\Psi$ whenever $G \in \Psi$, where $\Psi$ is defined in Def. 3.

The practical implication of Lem. 7 (which follows directly from Lem. 6 and Cor. 2) is that the performance (and correctness) of data independent programs can be analysed exactly using model checking. In the next section we give an example to illustrate this idea.

5 Case study: Rabin's distributed consensus 

We illustrate the effectiveness of our technique on Rabin's choice-coordination problem [13]. The state space generated on execution of the algorithm is potentially infinite, hence limiting the scope of model checking for verifying liveness properties (such as termination conditions) relating to its overall performance. As we will see, even though the algorithm is not quite data independent, there does exist an information-preserving abstraction, demonstrating that exact numerical analysis of its performance is still possible.

5.1 Informal description 

A group of tourists are to decide between two meeting places (which are not of interest to us). A major constraint is that they may not communicate as a group; nor is there a central "authority" (e.g. a tour guide) whose decision overrides theirs.
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Each tourist carries a notepad on which he will write various numbers; outside each of the two 
potential meeting places is a noticeboard on which various messages will be written. Initially the number 
zero appears on all the notepads and on the two noticeboards. 

Each tourist decides independently (demonically) which meeting place to visit first, after which he strictly alternates his visits between them. At each place he looks at the noticeboard, and if it displays "here", he goes inside. If it does not display "here" it will display a number instead, in which case the tourist compares that number K with the number k on his notepad and does one of the following:

if k < K — The tourist writes K on his notepad (erasing k), and goes to the other place.

if k > K — The tourist writes "here" on the noticeboard (erasing K), and goes inside.

if k = K — The tourist chooses the next even number larger than K, and then flips a coin: if it comes up heads, he increases that number by a further one. He then writes the new number on the noticeboard and on his notepad (erasing k and K), and goes to the other place.¹

A key characterisation of Rabin's algorithm, which has also been proved elsewhere [4], is that on termination all the tourists will converge at the same meeting place, and that this happens with probability 1. However it is not always the case that an "observer" can witness every state of the program that will lead to termination. For example, it is possible that the tourists will forever (according to an observer) keep updating their notepads and the noticeboards without deciding on a meeting place. This enforces an unbounded state behaviour on the algorithm. Nonetheless, given the unbounded state nature of the algorithm, our theoretical results still permit us to study a suitable performance attribute of the system: the expected number of rounds (or steps) of the protocol until termination (analogous to convergence).

5.2 A pGCL snapshot of Rabin's algorithm

Fig. 4 gives an overview of Rabin's choice-coordination problem in pGCL. We call the two meeting places "left" and "right" as we discuss it and refer to the notation² accordingly. Bag lout (rout) is the bag of numbers held by tourists waiting to look at the left (right) noticeboard; bag lin (rin) is the bag of numbers held by tourists who have already decided on the left (right) alternative; number L (R) is the number on the left (right) noticeboard. Initially there are A (B) tourists on the left (right), all holding the number zero; no tourist has yet made a decision, and both noticeboards show zero.

Execution is as follows: if some tourists are still undecided (so that lout (rout) is not yet empty), select one: the number he holds is l (r). If some tourist has already decided on this alternative (so that lin (rin) is not empty), this tourist does the same; otherwise one of the three possibilities discussed above is executed.

¹ For example if K is 2 or 3, then K becomes 4 and then possibly 5.

² [[ ... ]] — bag (multiset) brackets; [[ ]] — empty bag; [[ n ]]^N — bag containing N copies all of value n; take n from b — a program command which chooses an element demonically from non-empty bag b, assigns it to n and removes it from b; add n to b — add element n to bag b; n̄ — the "conjugate" of n, it is n + 1 if n is even and n − 1 if n is odd; #b — the number of elements in a bag b.

    lout, rout := [[0]]^A, [[0]]^B;
    lin, rin := [[ ]], [[ ]];
    L, R := 0, 0;
    do lout ≠ [[ ]] →
         take l from lout;
         if lin ≠ [[ ]] then add l to lin else
              l > L → add l to lin
           [] l = L → (L := L̄ + 2  ½⊕  L + 2); add L to rout
           [] l < L → add L to rout
         fi
    [] rout ≠ [[ ]] →
         take r from rout;
         if rin ≠ [[ ]] then add r to rin else
              r > R → add r to rin
           [] r = R → (R := R̄ + 2  ½⊕  R + 2); add R to lout
           [] r < R → add R to lout
         fi
    od

Figure 4: Rabin's choice coordination algorithm in pGCL (adapted from [4]).

5.3 Computing average performance of Rabin's algorithm

In this section we discuss properties of Rabin's algorithm sufficient for an analysis of its average performance. Since the unbounded state nature of the algorithm limits the scope of model checking on the original system, we must compute a suitable abstraction prior to performance analysis. Nevertheless, with our proposed technique, it is possible to defeat the overhead incurred by model checking the unbounded state system just by model checking its information-preserving abstraction.

One performance property of interest is captured by computing the minimum probability P_min that, within a finite number of steps T, the tourists eventually converge at the same meeting place on termination. In the logic PCTL [6], directly supported by the PRISM tool, we express this property as

$$P_{\min} =\,?\;[\,\mathit{true}\ \mathrm{U}^{\le T}\ ((\#lin = N) \vee (\#rin = N))\,] \qquad (5)$$

where N represents the total number of tourists who will initially decide on where to meet, i.e. N = A + B.

Similarly, with the reward structures [12] of PCTL we compute the expected number of rounds of the protocol until termination. Again, this will be done on the protocol's abstraction using the specification

$$R_{\min} \mid R_{\max} =\,?\;[\,\mathrm{F}\ ((\#lin = N) \vee (\#rin = N))\,]. \qquad (6)$$

The parameters R_min and R_max respectively represent the expected minimum and maximum rewards (expected number of rounds) until the tourists eventually converge at the same meeting place. We note that states where the tourists have not yet met the convergence condition are worth a reward value of one.

In the sections that follow, we explain how we identify the essential behaviours of the algorithm that permit the construction of an information-preserving abstraction upon which the analysis can be performed.

5.4 An information-preserving abstraction

As earlier stated, even though Rabin's algorithm has unbounded state behaviour, it is not data independent, since the probabilistic update increments the variables L, R etc. However there is still an information-preserving abstraction, which we will now describe.

Observe that although the noticeboard values are incremented, they always maintain $|L - R| \le 2$. In terms of the algorithm, the only information that needs to be preserved is the value $L - R$ and whether L, R are odd or even. Finally, the relative values of the tourists' numbers to L and R also need to be recorded, as well as their location. This generates an information-preserving abstraction. In practice, we characterise the relationship between the noticeboard values using a fresh variable we call slot, which can only take values in {0, 1, 2}, since the noticeboard values and hence the notepad values can only lie in one of these slots for any given state of the system. We define the slot variable as follows and interpret transitions in the abstract state with respect to the slot values:

$$slot = \begin{cases} 0 & \text{if } L = R \\ 1 & \text{if } L = R - 2 \ \vee\ R = L - 1 \\ 2 & \text{otherwise} \end{cases}$$

In the section that follows, we explain the performance results derived from the information-preserving 
abstraction. The results nevertheless give a precise summary of the performance of the original system. 
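Properties (5) and (6), and the reason an abstraction is needed at all, can be made concrete on the program of Fig. 4 itself. The script below is an added example, not code from the paper or from the PRISM distribution. It encodes the pGCL program as read from Fig. 4 (assuming the coin update L := L̄ + 2 ½⊕ L + 2 and its mirror image for R) as a Markov decision process and evaluates P_min and P_max of the bounded-until formula (5) directly on the concrete state space, by backward induction to depth T; this is finite only because T is. The function names p_converge, reachable_boards, moves and mirror are the example's own. It does not build the slot abstraction; instead it shows what the abstraction buys: the reachable noticeboard values keep growing with T, so no finite model of the concrete program exists for PRISM to enumerate.

```python
"""Explicit-state check of Rabin's choice-coordination program (Fig. 4).

Added example, not code from the paper or from PRISM.  The pGCL program is
encoded as a Markov decision process: the demonic choices (which loop guard
fires, which tourist is taken from a bag) are the nondeterminism, the fair
coin is the probability.  The bounded-until property (5),
P_min=? [ true U<=T converged ], is evaluated by backward induction over the
finite depth-T unfolding of the concrete (unbounded) state space: minimum (or
maximum) over demonic alternatives, expectation over the coin.
Assumption: the coin update reads  L := L-bar + 2  1/2(+)  L + 2  as in Fig. 4.
"""
from fractions import Fraction
from functools import lru_cache


def conjugate(n):
    """n-bar of footnote 2: n + 1 if n is even, n - 1 if n is odd."""
    return n + 1 if n % 2 == 0 else n - 1


# A state is (lout, lin, rout, rin, L, R); bags are sorted tuples so that
# equal multisets give equal (hashable) states.
def initial_state(A, B):
    return ((0,) * A, (), (0,) * B, (), 0, 0)


def converged(s):
    """Target of (5) and (6): every tourist has decided on the same place."""
    lout, lin, rout, rin, L, R = s
    N = len(lout) + len(lin) + len(rout) + len(rin)
    return len(lin) == N or len(rin) == N


def add(bag, x):
    return tuple(sorted(bag + (x,)))


def take(bag, x):
    b = list(bag)
    b.remove(x)
    return tuple(b)


def left_moves(s):
    """Demonic alternatives of the 'lout != [[ ]]' branch of Fig. 4; each
    alternative is one distribution, a list of (probability, successor)."""
    lout, lin, rout, rin, L, R = s
    alts = []
    for l in set(lout):                       # demonic 'take l from lout'
        rest = take(lout, l)
        if lin or l > L:                      # join the decided, or decide now
            alts.append([(Fraction(1), (rest, add(lin, l), rout, rin, L, R))])
        elif l == L:                          # fair coin on the new L, carried to rout
            alts.append([(Fraction(1, 2), (rest, lin, add(rout, v), rin, v, R))
                         for v in (conjugate(L) + 2, L + 2)])
        else:                                 # l < L: copy L and go to the other place
            alts.append([(Fraction(1), (rest, lin, add(rout, L), rin, L, R))])
    return alts


def mirror(s):
    """Swap the two places; the right branch of Fig. 4 is the mirror image."""
    lout, lin, rout, rin, L, R = s
    return (rout, rin, lout, lin, R, L)


def moves(s):
    right = [[(p, mirror(t)) for p, t in alt] for alt in left_moves(mirror(s))]
    return left_moves(s) + right


def p_converge(A, B, T, mode="min"):
    """Exact value (a Fraction) of P_min=? (mode="min") or P_max=? (mode="max")
    [ true U<=T converged ] from the initial state.  An empty move set means the
    loop has exited with tourists at different places: the target is unreachable."""
    choose = min if mode == "min" else max

    @lru_cache(maxsize=None)
    def val(s, k):
        if converged(s):
            return Fraction(1)
        if k == 0:
            return Fraction(0)
        alts = moves(s)
        if not alts:
            return Fraction(0)
        return choose(sum(p * val(t, k - 1) for p, t in alt) for alt in alts)

    return val(initial_state(A, B), T)


def reachable_boards(A, B, T):
    """Noticeboard pairs (L, R) seen within T steps: they keep growing, which is
    why the concrete model has no finite state space for PRISM to enumerate."""
    frontier, boards = {initial_state(A, B)}, set()
    for _ in range(T):
        boards |= {(s[4], s[5]) for s in frontier}
        frontier = {t for s in frontier for alt in moves(s) for p, t in alt}
    return boards


if __name__ == "__main__":
    for T in range(1, 10):
        print(T, p_converge(1, 1, T, "min"), p_converge(1, 1, T, "max"))
    print(sorted(reachable_boards(1, 1, 6)))
```

For A = B = 1 the minimising adversary keeps both tourists undecided by always serving the tourist whose number equals the board, so P_min is 0 up to T = 4, becomes 1/2 at T = 5 and then halves the remaining mass every two further steps (3/4 at T = 7), whereas the maximising adversary converges by T = 3. The same backward induction with a reward of one per unconverged state would give the bounded version of (6), but on the concrete program only ever up to the chosen depth; the exact R_min and R_max of the paper need the finite abstraction.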

5.5 Experimental results 

We model the abstract behaviour discussed above for the base cases of an even and an odd number of tourists (N = 2, 3) in the PRISM language, and analyse the performance results captured by properties (5) and (6) using the experimentation facility of the tool. A similar model construction and analysis for larger values of N is also possible by repeating the same technique, although very laborious.

Fig. 5 captures the performance characteristics of the information-preserving abstraction of Rabin's algorithm. It clearly establishes the termination property of the unbounded state system using just its abstraction: note that both graphs converge to probability 1. In the original unbounded state system, achieving this is practically impossible. See the original model in the compendium of case studies at [4].

We also observe (Fig. 6) that the expected minimum and maximum number of rounds until termination can be model checked, and hence give an exact bound on the number of steps required for the unbounded state system to terminate. Again, in the unbounded state system, the result of computing R_max, for example, is infinity, which in the PRISM tool is interpreted to mean that it is not possible for a terminating (or convergence) condition to be reached.

6 Discussion 

While some probabilistic program logics allow programs to be compared even at abstract levels, for example using the techniques in [10], the underlying logic of pGCL supports the notion of program refinement and hence compositionality. This makes it easy to relate refinement over concrete states to their abstract counterparts, and furthermore to the other probabilistic program logics, given any context.

Other approaches seek to use variations of counterexample guided predicate abstraction [10, 7] to automate finding sets of predicates which generate finer abstractions. One way to see the relationship with our approach would be to note that when an abstraction is observed to be information-preserving (according to Lem. 3 for example) then further refinement is unnecessary. Kwiatkowska et al. [11] propose an approach to estimate the accuracy of the analysis implied by any abstraction, confirming that for information-preserving abstractions the analysis is exact.

On the application level, one way to see the usefulness of our technique is in the recent research direction of linking proof-based verification with model checking for probabilistic systems [15, 19]. Since proof-based verification can cope with proofs over infinite state systems, a key challenge with this technique is then the identification and construction of information-preserving abstractions upon which a model checking algorithmic verification can be performed. This is still an open problem.

7 Conclusion and future work 

In this paper we have developed the theory of predicate abstraction for probabilistic programs within the 
framework of expectation transformers. We have similarly established a criterion to help discover when 
abstractions do not lose information especially for probabilistic programs; and we have demonstrated the 
applicability of the results to data independent programs (or at least their approximations). 

Whilst our theoretical approach identifies when a set of predicates is information-preserving, it does not provide assistance in finding one. Even though we have computed the abstraction by hand, we quickly remark that applying the manual construction technique for N > 3 would seem a laborious task. Note that our technique results in a huge success for verifying the termination condition of the algorithm when compared with the concrete system as modeled in the compendium of case studies at the URL [4].

However, a future direction for this work would be to develop an automated strategy which would construct abstractions "on the fly", given that our theoretical framework is rich enough to provide intuitions for identifying sets of suitable predicates to aid the construction of information-preserving abstractions.

Acknowledgement: The authors are grateful to the anonymous reviewers for their helpful comments. 